Proxy.

Main page of the module.

Proxy server is the service that helps its clients to make indirect requests to other network services. The client connects to a proxy-server and make a request for some web-resource, located in the other server. Then proxy either connects to the required server and receive some response from it, or returns some response from its own cache (if any client has requested this resource already). In some cases client request and server response can be altered by proxy for some purposes.

Proxy server also caches objects, received by users from internet, and through this reduces traffic usage and increases connection speed.

At the entrance to the module you can see service status, “Disable” (or “Enable” if the module is currently off) button and recent log messages.

Settings.

Usually to use proxy you should specify its address and port in the browser options. But if you don’t need to authenticate users by login/password pair, you can use “transparent proxy” function.

In this case all HTTP requests from the local network will automatically go through proxy-server. So, you’ll have an oportunity to filter and count traffic despite settings on local machines.

Default proxy server port is 3128, but in the “settings” you can specify whatever port you like.

Authorization types.

ICS CUBE proxy-server allows two ways of authorization: through user ip-address and through login/password pair.

Authorization through IP-address is useful, when employee uses the same computer constantly. Proxy defies the owner of the traffic through the IP-address of his computer. This is not the way for terminal servers, because in this case many users share the same IP-address. Also it is not the way for organisations, where employees don’t have a permanent work place. Above all, the user can change his IP-address, and, if you didn’t set up binding between MAC and IP-addresses, ICS CUBE will consider him as someone else.

Login/password authorization resolves the problem of linking user to a computer. In this case, when user sent first request, browser will show login/password form, which he must fill for have access to internet. If you have domain authorization in your network, you can choose “domain authorization” option. In this case, if ICS CUBE is connected to the domain controller, and users were imported from this domain, authorization will be transparent to users, and browser would not ask them for login and password.

This way has a disadvantage: it doesn’t work with transparent proxy, so, in all software that use internet, proxy address should be entered manually.

Above all, you should remember, that proxy authorization is used only for HTTP-traffic. Internet access for software which use other protocols, is regulated by firewall, and firewall can authorize only by IP-address. In other words, if employee use only login/password authorization, he couldn’t use mail, or jabber, or torrent-client, and other programs which cannot use HTTP-proxy.

Page caching.

Proxy server performs caching of the web-pages and objects that users download from internet. This way you can reduce traffic and increase speed when surfing web-pages through ICS CUBE.

The efficiency of cache is depending on its size. For the organization that has a lot of users, we recommend to set several gigabytes for cache (in the appropriate field). You can also limit download files size in the field “Limit response size” (in Mb).

The option “Hide user IP” lets you turn off the mention of IP-address in the frame of the packet (forwarded_for parameter).

You can check cache content in the tab “Cache”. But you should remember, that web-interface doesn’t show all of the cache content, but only a part of it, like images.

Transparent proxy.

In this mode instead of listening for users requests at the proxy post, ICS CUBE redirect them all to the proxy itself. The proxy server processes the request (using cache whenever possible) and sends content back to the user. For user it looks like he is getting the answer from the server he had requested. In this model, user can even be unaware that his traffic goes through proxy server. By default, transparent proxy listens to 80 port (HTTP).

You can define, whether to turn on or off the transparent proxy for DMZ and LANs, using appropriate checkboxes in settings menu. By default transparent proxy is turned off for DMZ and on for LANs.

There are some programs that can turn suspicious when they notice proxy interference. You can add their addresses in “Transparent proxy exceptions” and theirs traffic won’t be processed by proxy.

For implementing HTTPS-filtration you should fill the “Certificate for HTTPS filtering” field with previously created root certificate. All addresses that should not be filtered with this certificate, they may be added to exceptions.

SOCKS5.

SOCKS is a network protocol that allows client-server applications to use transparently the services that are located behind a firewall. When a client from behind a firewall needs access to an external server, he can connect to SOCKS proxy server instead. That kind of proxy server controls client access rights for external resources and redirect requests to the server. SOCKS can be user contrariwise, giving access rights for connection to the servers behind firewall.

Unlike HTTP proxy servers, SOCKS redirects all client data without altering it. So, from the perspective of the target server, SOCKS-proxy is just an ordinary client. SOCKS is more versatile – it is not dependent on application protocols (level 7 of OSI/ISO model) and is based on TCP/IP standart – level 4 protocol. But HTTP proxy can cache transmitted data and filter them more thoroughly.

You can use SOCKS5-server as a part of proxy server for non-HTTP protocol authorization. By default the access port is 1080, but you can change it if you like. It uses IP-based authorization, but, filling the appropriate checkbox, you can initiate login/password authorization.

Antivirus.

ICS CUBE can analyze traffic that passes through proxy server with antivirus. In the 7th version of ICS CUBE there are 2 antivirus modules: free ClamAV antivirus and non-free - Kaspersky Antivirus. For antivirus to start working, the license should be purchased and installed in the module.

Also, for turning on antivirus analyze for web-traffic (by any of these modules), it’s necessary to turn on this option in proxy settings. The “maximum size parameter” defines maximum size of a file, that passes through antivirus. All files that are bigger than this, would not be scanned, and it can sufficiently increase efficiency.

It’s recommended to turn on images analysis, cause there are viruses, that use ordinary pictures, but scanning pictures as usual increase system resource usage by the antivirus, and when a lot of pictures are processing, performance of the server can be reduced.

Allowed ports.

You can choose, through which ports clients are allowed to connect to external servers using proxy. The list of allowed ports for SSL defines, which ports are allowed for access using the CONNECT method.

ICAP.

ICAP (Internet Content Adaptation Protocol) – is the protocol for extended proxy functions. In most cases it is used for virus scanning of traffic and for applying different content-filters. You can add an external ICAP-server in ICS CUBE, by filling the checkbox in settings and entering its address.

Three last checkboxes will turn on DLP, content filter and SkyDNS.

Proxy autoconfiguration.

If you don’t want to set proxy address on each workstation, you can use autoconfigurator. In this case in user’s browsers an option “auto-detect proxy” setting must be chosen, and all the rest will be done by ICS CUBE.

It can be turned on with checkpoints in this tab. You can mark one or several of available protocols (HTTP, HTTPS).

The script public option is defining whether it would be available on the server IP-address, or on the virtual host with a domain name. When you choose virtual host, it would be created in the system automatically. By marking the “Create a record on DNS server” checkbox you’re instructing ICS CUBE to add automatically the zone and all domain names that are necessary for this virtual host.

Publish proxy autoconfiguration script for DHCP – this parameter sent proxy settings to all DHCP-clients of the server.

Parent proxy.

If there is several proxy servers in your organization and they have hierarchy, then the one that is standing on top of ICS CUBE would be a parent proxy for him. Also, any node can act as a parent proxy as well.

For ICS CUBE to redirect requests, that are coming to his proxy server to the parent proxy, you can enter its IP-address and destination port in the “Parent proxy” tab.

Proxy servers can use ICP protocol for cache exchange. In case you’re working through several proxy, it can significantly increase efficiency. If your parent proxy supports this protocol, you can mark the related checkbox and define a port for this service (by default it’s 3130).

If you parent proxy requires authorization, you can enter login and password in the fields below.

Expectation for authorization.

This tab is used to configure the proxy server so that it does not require authorization when: processing requests from a specific host on the network and / or when accessing a specific host. The “Add” and “Delete” buttons are displayed in the main window, respectively, to add and remove information about exceptions for authorization in the proxy server. As well as a table containing sets of exceptions. When adding an exception, the following fields are available:

“Source”. Allows you to specify the IP-address or network for the traffic source for which proxy authentication will not be performed. This will lead to the fact that traffic coming from the specified IP-address or network will not be taken into account in statistics for certain Users. But it will be taken into account in general statistics.

“Destination”. As a destination it is possible to specify: IP-address; IP / mask; domain name; subdomains excluding the main domain (for example, “.google.com” - authorization will not be requested when contacting drive.google.com, but authorization will be requested when contacting google.com); the regular expression in the format is / regex / gi (for example, /.*.ai.\.ru/gi - allows the mail.ru domain and its subdomains). The rules for filling this field also apply to fields containing URLs when creating prohibiting, allowing rules or proxy exceptions.

“Description”. Allows you to specify an arbitrary description for the created rule.

“Disabled”. Allows you to disable the created rule.

Cache.

In here you can look at some elements of web-pages (mostly pictures), which are stored in cache, and also you can clear cache completely.

Log.

In “Log” tab is located summary of all proxy service log. It is divided to several pages, you can use “Next” and “Previous” buttons for navigation or enter page number to go directly to it.

Log messages differ in color depending on its type. Ordinary messages are white, system condition messages (turning on/off, cache processing) are green, and errors are red.

In the right top corner the search is located. You can use it to find anything you need in the log.

Log always shows current day events. If you want to see log from another date, just choose the date you need, using the calendar in the left top corner of the module.